IT vs. OT Differences, Superficial vs. Fundamental

The fundamental difference between OT and IT networks is the worst-case consequences of cyber attacks

Much has been written about the differences between conventional IT networks and Operational Technology (OT) or industrial control system (ICS) networks: patching is harder in OT networks, anti-virus is harder, even simply using accounts and passwords is harder, OT networks use very old protocols and computers, and there can be enormous resistance to change from the people who manage these networks. These differences are, however, all superficial. The fundamental difference between these two kinds of networks is consequences: most often, the worst-case consequences of cyber attacks are sharply, qualitatively different on IT vs OT networks.

Worst-Case Consequence

What is the difference? Ransomware hits our IT network and what do we do? We detect, respond, and recover. We identify the affected computers and isolate them. We take forensic images for the security analysts, and we erase the equipment. We restore from backups. We repeat. This costs time and effort. The attack may have stolen intellectual property and/or personally identifiable information (PII), and we suffer lawsuits as a result. These are all business consequences. Said another way, on IT networks, the goal for managing cyber risk is to prevent business consequences by protecting the information – protecting the confidentiality, integrity, and availability of business information.

On OT networks, however, the worst-case consequences of compromise are very often physical. Explosions kill people, industrial malfunctions cause environmental disasters, the lights go out, aircraft drop out of the sky, or our drinking water is contaminated. The cyber risk management goal for OT networks is generally to assure correct, continuous, and efficient operation of the physical process. The goal is not to “protect the information” but rather to protect people, the environment, physical assets and physical operations from information, more specifically from cyber attacks that may be embedded in information. The fundamental difference between IT and OT networks is that neither human lives, damaged turbines, nor environmental disasters can be “restored from backups.”

Magic Wand?

Consequence drives superficial IT/OT differences, most often because of change. Every change is a potential threat to safe and reliable operations, and industrial software and systems are so complex that there is no way to prove their correctness under all possible normal and upset operating conditions. Engineering teams must therefore analyze changes at length, looking for possible unacceptable consequences, and test the proposed changes under operating conditions as realistic and diverse as practical, to become confident that the analysis is correct.

Why is this important? Well, even if we could somehow wave a magic wand and render all industrial networks fully patched, fully anti-virused, fully encrypted, and otherwise completely up to date with modern IT cybersecurity mechanisms, the fundamental difference between IT and OT networks would remain. When worst-case consequences of compromise in OT networks are unacceptable, the difference in consequence between IT and OT networks, today and always in the days ahead, will demand a different approach to risk management in safety-critical and reliability-critical networks versus business networks.

Consequence Determines Criticality

Worst-case consequence is every CPU in the automation system issuing all of the worst possible instructions to the physical process, at the worst possible time. Worst-case consequence determines the criticality of OT networks and that criticality determines the nature and strength of OT security programs demanded for OT systems.

Now, to be fair, not all OT systems have unacceptable worst-case consequences. If we can design our physical processes to eliminate the possibility of unacceptable safety outcomes, or unacceptable equipment damage, or other unacceptable outcomes, then our OT systems have the same kind of worst-case consequences as our IT networks, and these OT systems can be managed in much the same way as we manage our IT networks. Most often though, worst-case consequences in OT are unacceptable, and the difference between IT and OT networks is intrinsic, not superficial.

Want more details?

To learn more about consequence-driven designs for critical OT networks, click here to request a free copy of my latest book Engineering-Grade OT Security: A manager’s guide.

Peter Jackson

Securing industrial environments with a pragmatic OT/ICS mindset

6 months

Hi Andrew. Thanks for your article and the work you do - I agree with many of your points. Looking forward to meeting up with you this week at s4x24. I encourage all #otsecurity practitioners such as yourself to stop using 'vs.' when comparing and contrasting IT and OT. From my perspective, the use of 'versus' creates an inherently adversarial paradigm. IT and OT are different - but if/when we do it right, both parts of the org drive to minimise business risk, and support safe, secure, reliable operations (multiple versions of the term). It shouldn't be an us vs. them - otherwise, we risk divergence and poor outcomes within both 'cylinders of excellence' as well as the business as a whole (my favourite euphemism for silos).

Michael O'Neil

Building insight with industry thought leaders, driving content-centric connections

7 months

Thanks for this, Andrew. It's definitely true that restoring a failed unit or even rebuilding after a ransomware attack pales in comparison with the catastrophic situation that would result if power was turned up to max and cooling was shut down... https://kyivindependent.com/military-intelligence-cyber-attack-on-russian-space-hydrometeorology-research-center-deals-devastating-consequences/
